Thank you, Steve, for your kind clarification. However, I have a concern: could
the digest of X509_CINF also be called a certificate thumbprint?

Can I find the definition in any standard document? I tried to google it, but
I did not get any results.


2009/1/18 Dr. Stephen Henson <st...@openssl.org>

> On Sun, Jan 18, 2009, Anri Lau wrote:
>
> > Hi all
> >
> > I use the following code piece to create the digest of certificate
> >
> >     p = p_key_buf;
> >     /* get the certificate body as a DER string */
> >     if ( i2d_X509_CINF(m_x509->cert_info, &p) == 0 )
> >     {
> >         printf("Ci2d_X509_CINF failed\n");
> >         return;
> >     }
> >     length = p - p_key_buf;
> >     if ( length > 8192 )
> >     {
> >         printf("i2d_X509_CINF value exceeds buffer length");
> >         return ;
> >     }
> >     SHA1_Init(&SHA);
> >     SHA1_Update(&SHA, p_key_buf, length);
> >     SHA1_Final(sha_value, &SHA);
> >
> > And the result of above code is different from X509_digest()'s. My openssl
> > version is 0.9.8f.
> >
> > Is it correct?
> >
>
> Your code isn't taking the digest of the whole certificate, just the X509_CINF
> portion. If you want the whole certificate use i2d_X509 on m_x509.
>
> Your length checking code is also broken: it checks the length *after* the
> buffer may have already been overwritten.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk



-- 
Best regards to you and your family
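
Added illustration, not code from this thread or from OpenSSL: X509_digest() hashes the complete DER Certificate, while the quoted snippet hashes only its first element, the TBSCertificate (X509_CINF). The Python sketch below finds both byte ranges in a constructed, certificate-shaped DER blob and checks every length before slicing; the names `read_tlv`, `cert_digests`, `tlv` and `sample_cert` are invented for this example.

```python
import hashlib

def read_tlv(buf, off):
    """Parse one DER TLV at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        length, start = first, off + 2
    else:                                  # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        start = off + 2 + n
    if start + length > len(buf):          # validate before slicing, not after
        raise ValueError("DER length runs past end of buffer")
    return tag, start, start + length

def cert_digests(der, algo="sha1"):
    """Return (whole_cert_digest, tbs_digest) as hex for a DER Certificate."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(der, start)
    if tbs_tag != 0x30 or tbs_end > end:
        raise ValueError("first element is not a SEQUENCE")
    tbs = der[start:tbs_end]               # TBSCertificate TLV, header included
    return hashlib.new(algo, der).hexdigest(), hashlib.new(algo, tbs).hexdigest()

def tlv(tag, value):
    """DER-encode one TLV (helper used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def sample_cert(sig_byte=0xAA):
    """Constructed skeleton with a Certificate's outer shape, not a real certificate."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, b"constructed tbs body" * 8))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + bytes([sig_byte]) * 128)
    return tlv(0x30, tbs + alg + sig), tbs

if __name__ == "__main__":
    der, _ = sample_cert()
    whole, tbs_only = cert_digests(der)
    print("whole certificate:", whole)
    print("TBSCertificate   :", tbs_only)
```

Changing only the signature bytes changes the whole-certificate digest but leaves the TBSCertificate digest the same, which is why the two values cannot be used interchangeably.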
